Check for valid file extensions is not enforced everywhere

Description

Since it is possible to set allowed/denied file extensions for all 4 file types, these properties should be checked everywhere a file is going to be uploaded.

For example, if you upload a file directly through the image plugin it checks for a valid extension. If you upload through the file browser, it does not check for extensions. It has to be made on the server.

This complete coverage would make it superfluous to check for the extension on the server-side.

This ticket does not identify a bug, but a missing feature. It is a request to have the file extension checked on the client side for uploads in the File Browser.

The fact is that the Upload Tabs in the dialogs are part of the FCKeditor interface. Therefore, it is OK to have settings in the fckconfig.js file that list the allowed/denied extensions to be uploaded through those tabs.

On the other hand, it is well known that FCKeditor integrates transparently with File Managers through the "Browse Server" button. But it is important to note that FCKeditor and the File Manager (including the default one) are completely separate applications.

The current settings in fckconfig.js actually represent a problem, as they are not automatically aligned with the extensions set in the file browser configuration file. So, to make it work properly, changes in one configuration file must be copied to the other one.

We could instead work to make the File Browser "intelligent", retrieving the list of extensions from the server and enforcing client-side checks according to it. We should definitely propose such a feature for our advanced File Manager, CKFinder. The default File Browser may live without it, as this is not a critical thing.

This "intelligent" approach would work well for the File Browser, but not for the Upload Tabs, as the tabs don't know the File Browser features. So, for the tabs, we would still have the fckconfig.js settings as a facility.

In all cases anyway, we must ensure all security checks on the server side, as we are already doing today.
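
One way to keep the client-side and server-side extension checks from drifting apart, as discussed in the comment above: the server holds the only policy, enforces it on every upload, and hands the same lists to the file browser. This is an added example, not FCKeditor or CKFinder code; the policy shape and the function names `isUploadAllowed` and `clientHint` are assumptions, and Node.js stands in for the server-side connector.

```javascript
// Added example: hypothetical policy shape and names, not FCKeditor or CKFinder code.
// Extensions that are refused for every resource type (constructed sample list).
const SCRIPTS = ['php', 'asp', 'aspx', 'jsp', 'cgi', 'exe', 'htaccess'];

// One server-side policy per resource type; the client never keeps its own copy.
// An empty "allowed" list means "anything that is not denied".
const POLICY = {
  File:  { allowed: [], denied: SCRIPTS },
  Image: { allowed: ['jpg', 'jpeg', 'png', 'gif', 'bmp'], denied: SCRIPTS },
};

// Every dot-separated segment after the base name, lower-cased, with any
// directory part and trailing dots/spaces removed before the name is examined.
function extensionsOf(filename) {
  const base = String(filename).split(/[\\/]/).pop().replace(/[. ]+$/, '').toLowerCase();
  return base.split('.').slice(1);
}

// Authoritative check, run on the server for every upload path
// (upload tab and file browser alike).
function isUploadAllowed(type, filename) {
  const policy = POLICY[type];
  if (!policy) return false;                 // unknown resource type
  const exts = extensionsOf(filename);
  if (exts.length === 0) return false;       // no extension at all
  // A denied extension anywhere in the name rejects the file, not only the last one.
  if (exts.some((e) => policy.denied.includes(e))) return false;
  const last = exts[exts.length - 1];
  return policy.allowed.length === 0 || policy.allowed.includes(last);
}

// What the file browser would retrieve to run its client-side convenience check.
// Copies are returned so callers cannot modify the server's policy.
function clientHint(type) {
  const policy = POLICY[type];
  return policy ? { allowed: [...policy.allowed], denied: [...policy.denied] } : null;
}
```

The client-side check built from `clientHint` only saves the user a round trip; `isUploadAllowed` still decides on the server.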